How The Mighty Have Fallen

Posted in security on May 3, 2010 by hellnbak

Full Disclosure:  I am a former eEye employee and managed their now pretty much dead Research Department.  Something of which, after reading this post, I can honestly say I am embarrassed to admit.  This is a classic case of the insane taking over the asylum.

This morning a friend of mine pointed out this blog post –>  http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands

I actually had to double-check that this was a legitimate BLOG from eEye and sadly it appears that this is in fact a real post from someone who has been at eEye for a very long time or as we used to put it — “during the glory days”.  I am almost at a loss as to where to start ripping on this shortsighted and outright stupid post.

I guess the best place to start is with their BLOG title;  “Security Focus – Insights from the Frontlines”.  One would expect that a company with the knowledge and background of eEye Digital Security would know that the “Security Focus” name has been in use by a company now owned by Symantec for a very long time.  Did all original thought leave that company during the mass exit of their research team? 

OK, I agree making fun of their lack of originality in a BLOG title is probably being a little overcritical, so let's look at the content of the post itself.  Right from sentence one eEye comes off as being completely clueless;

“After a lifetime in the vulnerability assessment field, I’ve come to look at penetration testing almost as a kind of crime, or at least a misdemeanor.”

A crime?  Not this argument again.  Was Morey asleep for the 80s and early 90s?  Penetration Testing by definition is not a crime.  In fact, it is something that is done with permission (usually written permission) of the targets in question.  Perhaps what Morey is attempting to say is that “cracking” (for lack of a better word) or (sorry, have to use it) hacking without permission is a crime.  Penetration Testing is not.  Did eEye consider this a crime when they sold Retina?  What about when they released detailed advisories that assisted in the creation of exploit code?  Why didn’t Morey, who was around for these things, share his objection to this apparent crime back then?

“We enjoy freedom of speech, even if it breaks the law or license agreements. Websites cover techniques for jailbreaking iPhones even though it clearly violates the EULA for Apple’s devices”

Apparently Morey is not a lawyer.  Actually neither am I but most of us have the common sense to know that freedom of speech does not take precedence over a license agreement or EULA.  Freedom of speech is a great right we all enjoy but it does not protect any of us when we choose to violate other laws or agreements.  Hearing eEye rally in support of a EULA is amusing to me especially for those that remember the IDA Pro incident (google it).

“Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.”

Point being?  Is this really his argument?  I thought the mass damaging of brain cells via alcohol abuse left eEye a few years ago.  Apparently not.  I could use a rolled up newspaper to break the law.  For example, I could take this paper, roll it up and beat some sense into the author of this post — which would be some form of assault.  Does that mean we should all rally against newspapers because clearly in the wrong hands they can be used for evil?  Of course not!

“Making these tools readily available is like encouraging people to play with fireworks.”

It is the playing of these so-called “fireworks” that has improved the state of security today.  Without it, we would still be stuck in the 80s and guys like Morey would be selling used cars and not security software.  I won’t bother continually quoting and ripping apart each clueless sentence that came out of Morey’s keyboard.  But he does go on to be a little more obvious in his intentions by saying that it is the FREE tools that are the problem.  I guess now that Code Red, Nimda, and Slammer are a thing of the past eEye needs a new way to sell their product. 

This is the equivalent of blaming a firearm manufacturer for murder.  Guns don’t kill people.  People kill people and sometimes do so with a gun.  Licensing and tracking those who have Penetration Testing tools will not improve or change anything.  Do you think someone who willingly breaks the laws will care one bit about legitimately licensing a tool?  Do you think that everyone who commits a computer crime uses a free tool like Metasploit?  Obviously not.

If I were an eEye customer, and thank god I am not, I would be very concerned that someone who holds the title of “Director, Product Management” clearly has no clue about the security industry, what a real penetration test is, or what value tools like Metasploit offer.  It would be interesting to know how many modules in Metasploit were written as a direct result of information released by eEye Research.  I bet it’s more than one or two.  Perhaps eEye should be concentrating on improving their own products so they can actually compete with the free alternatives vs demonstrating a complete lack of coherent thought on their blog.

Would that make Morey not only clueless but also a complete hypocrite?

Apparently Time Has Reversed – Not The Disclosure Debate Again?!?

Posted in security on April 23, 2010 by hellnbak

Remember back in 2001 when researchers were compared to Terrorists and the term “Information Anarchy” was coined?  You can read this blast from the past here –>  http://www.windowsitpro.com/article/windows-client/information-anarchy-the-blame-game-.aspx

As the saying goes, those who do not learn from history are doomed to repeat it, or something like that.  Now we have this clueless blog post over on the Verizon Business Blog –>  http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/

The gem of this post is:

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

Sigh.  Really?  One would think that a business with the word “Intelligence” in it would actually show some.  Meanwhile we all know that the “intelligence” is nothing more than a bunch of drones monitoring IPS logs and being yelled at when the technology they have pimped out does not actually detect a real world threat.  So instead of actually attempting to improve things it is much easier to point fingers, call names and attempt to blame researchers.

Researchers *DESERVE* credit for their finds because while they are causing short-term pain (short-term pain Verizon Business is able to invoice clients for) they are effecting long-term changes.  History has proven that when a vendor gets tired of being hammered by security issues, that vendor starts taking security seriously and begins to improve.  Let us not forget that the majority of researchers do this FOR FREE, so giving them some resume fodder and recognition should not be such a big deal.

Verizon Business’ entire business model would fall apart if it were not for these so-called “Narcissistic Vulnerability Pimps” giving their drones something to submit billable hours for.  Or how about the fact that Verizon Business themselves have employed, and may very well still employ, the exact people they are attempting to point fingers at.  I know for a fact that at one time (maybe still) a couple of very high-profile “Pimps” were receiving paychecks from Verizon.

I am totally stealing this comment from Charlie Miller’s twitter (http://twitter.com/0xcharlie) but based on this blog post — Verizon Business are the whores that the vulnerability Pimps peddle to.  Given the choice of being a pimp or a whore I would pick pimp any day of the week, the wage is better, the benefits are better and who doesn’t like smacking a ho once in a while?

Let’s back up a second and try to determine exactly what Verizon is complaining about.  I suppose they are trying to point out the difference between a researcher that follows responsible disclosure vs one that does not.  So why the silly name calling?  Why not just simply put it that way?  There are those that believe in responsible disclosure and there are those that do not.  Kind of simple, isn’t it?  Oh wait, that does not make for a good blog post to generate some attention and traffic — much like this one.

While I am ranting about what is probably the most ass backwards blog post this year I might as well share my opinion on the whole disclosure thing and yes I do truly believe that this is beating a dead horse as there will never be an opinion that is completely correct.

There was a time, especially around the 2001 timeframe, when I believed that reporting a bug to a vendor, then giving said vendor a set amount of time (30 days in my case) to fix a vulnerability was the right thing to do.  After the 30 days expired, release full details on the vulnerability and move on.

Over the years, and as I began to work for various software and hardware vendors, my thoughts on this slightly changed, putting me more in the responsible disclosure camp.  To me this means you find a vulnerability, you report it to the vendor, and you wait for the vendor to patch before releasing your independent advisory.  The severity of the issue, based on ease of exploitation and impact of exploitation, dictates how much information to release on it, as the whole point is to actually help increase security.  The only caveat I have to this is that I also believe that if a vendor is refusing to patch an issue, not taking the issue seriously, or someone else finds the issue and uses it publicly, then all bets are off and it is better to simply drop all details so that those in the protection business have a level playing field.

In fact, the only reason I am against the whole “No More Free Bugs” movement is because if you privatize and monetize the reporting of vulnerabilities, you remove the ability to hold a vendor truly accountable by having the ability to simply “drop zero day” on them to force a fix.  Once you enter in to contracts and start accepting money for vulnerabilities — you lose your ability to force change.  That said, a pimp needs to get paid.  😉

Anyways, this whole argument is stupid.  Full Disclosure works and in my opinion responsible disclosure is a safe compromise as long as the vendor is playing along.  Verizon Business is truly biting the hand that feeds them.